Remote Access VPN problem with failover internet connection at remote site

it (Level 1)

Hi Everyone,

I have sort of a conundrum.

I have two sites: Site 1 is the corporate HQ and Site 2 is located nearby. The two sites are connected via a layer 2 wireless bridge, and Site 2 has a backup cable internet connection in case the Wi-Fi bridge goes down. If that happens, a VPN is established to the ASA 5510 border firewall at the HQ. Additionally, users for both sites are configured to connect via IPsec VPN to the ASA in Site 1 (HQ).

This all works fine. The issue is this: if the wireless bridge goes down and the backup VPN is established, remote VPN users can't access Site 2. The problem is that there's no NAT translation from the RA VPN network to Site 2's network over the VPN. I could create a NAT translation, but when the wireless bridge is back online and the VPN is no longer active, the users won't be able to connect to Site 2 because there's a NAT translation that is pointing their traffic to a VPN tunnel that doesn't exist.

Can I create some sort of NAT policy that is only active when the VPN is online?

Thanks!

2 Replies

Yudong Wu (Level 7)

Can you post your related NAT configuration here and clarify the following questions?

1. Is site 2 VPN terminated on the same interface on HQ ASA as remote vpn?

2. If yes, when a remote VPN user needs to access site 2, the traffic will make a U-turn on the HQ ASA. Did you enable "same-security-traffic permit intra-interface" and change the crypto ACL for the site-to-site VPN to site 2 to include the traffic between the remote VPN client IPs and site 2's internal IPs?

3. What error message did you see on the HQ ASA when a remote VPN user was trying to access site 2?

Thanks for your response.

Here's the SNAT that enables Site 1 to communicate with Site 2 via the failover VPN:

! Twice NAT (8.3 and later) takes network objects, not literal address/mask pairs,
! and "source static" needs both a real and a mapped object (identical for an
! exemption). 20.1.1.0 255.255.0.0 is not a network address; the /16 networks are
! 20.1.0.0 and 30.1.0.0. Object names are added here for the posted rule to load.
object network SITE1
 subnet 20.1.0.0 255.255.0.0
object network SITE2
 subnet 30.1.0.0 255.255.0.0
nat (inside,outside) source static SITE1 SITE1 destination static SITE2 SITE2

20.1.1.0 = Site 1 (HQ)

30.1.1.0 = Site 2

1. Is site 2 VPN terminated on the same interface on HQ ASA as remote vpn?

Yes

2. If yes, when a remote VPN user needs to access site 2, the traffic will make a U-turn on the HQ ASA. Did you enable "same-security-traffic permit intra-interface" and change the crypto ACL for the site-to-site VPN to site 2 to include the traffic between the remote VPN client IPs and site 2's internal IPs?

I haven't; I will try this.

3. What error message did you see on the HQ ASA when a remote VPN user was trying to access site 2?

There weren't any errors that I can recall. However, I will try the suggestions from #2 this weekend and pay closer attention to the syslog. I'll report back with my findings.
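Worked configuration, added here as an example and not part of either poster's config, showing the approach Yudong describes together with the piece that answers the original question on a post-8.3 ASA. The OP's worry is that a NAT rule "points" traffic at the tunnel; in twice NAT the mapped interface of the rule does select the egress interface unless you add route-lookup (8.4(2) and later), in which case the routing table decides. Pair that with a tracked floating route so Site 2 is reached via the inside interface while the bridge is up and via the outside interface (and therefore the crypto map) only when the probe fails, extend the crypto ACL to the RA pool, and allow the outside-to-outside hairpin. The RA pool 10.10.10.0/24, the object and ACL names, the next hops 20.1.1.254 and 203.0.113.1, the probe target 30.1.1.1, and the interface names are assumptions; only the two site networks come from the thread.

```cisco
! Added example (not the thread's config). Assumed: RA pool 10.10.10.0/24,
! HQ LAN 20.1.0.0/16, Site 2 LAN 30.1.0.0/16, bridge-side next hop 20.1.1.254
! on "inside", ISP gateway 203.0.113.1 on "outside", crypto ACL S2S-SITE2
! referenced by the existing site-to-site crypto map entry.

! RA clients terminate on outside and must leave on outside again (U-turn).
same-security-traffic permit intra-interface

object network SITE1
 subnet 20.1.0.0 255.255.0.0
object network SITE2
 subnet 30.1.0.0 255.255.0.0
object network RA-POOL
 subnet 10.10.10.0 255.255.255.0

! Identity (exemption) NAT. route-lookup makes the ASA choose the egress
! interface from the routing table instead of from the rule, so the rule is
! harmless while the route to Site 2 points inside and takes effect only when
! the route falls back to outside. "any" as the mapped interface lets one rule
! cover both egress paths for the RA pool. no-proxy-arp stops the outside
! interface from answering ARP for the identity-mapped networks.
nat (inside,outside) source static SITE1 SITE1 destination static SITE2 SITE2 no-proxy-arp route-lookup
nat (outside,any) source static RA-POOL RA-POOL destination static SITE2 SITE2 no-proxy-arp route-lookup

! Crypto ACL for the tunnel to Site 2 must also match RA-pool <-> Site 2,
! otherwise the hairpinned packets are not "interesting traffic" and the
! crypto map never encrypts them.
access-list S2S-SITE2 extended permit ip object SITE1 object SITE2
access-list S2S-SITE2 extended permit ip object RA-POOL object SITE2

! Reachability probe across the bridge; when it fails, track 1 goes down and
! the primary route is withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 30.1.1.1 interface inside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary: Site 2 via the bridge (AD 1, tied to track 1).
route inside 30.1.0.0 255.255.0.0 20.1.1.254 1 track 1
! Backup: Site 2 via the ISP gateway (AD 254), used only while track 1 is down;
! once the packet exits outside, the crypto map matches S2S-SITE2 and tunnels it.
route outside 30.1.0.0 255.255.0.0 203.0.113.1 254
```

The Site 2 end needs the mirror image: its crypto ACL must include 30.1.0.0/16 to 10.10.10.0/24, it needs its own exemption for that pair, and it must route 10.10.10.0/24 toward the tunnel whenever the bridge path is down, or return traffic will not come back. To confirm the behaviour in each state, run `packet-tracer input outside icmp 10.10.10.5 8 0 30.1.1.10` with the bridge up and again with it down and compare the egress interface and the NAT and VPN phases, and check `show route`, `show nat detail` and `show crypto ipsec sa` alongside the syslog.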
